Dissecting a tech talk: How I topped the charts at NDC

Recently I wrote about Speaker style bingo which called out a bunch of common anti-patterns I see (and indeed have done myself) in technical talks. If I’m honest, I’m a bit surprised at how much attention that post garnered and it appears to have really resonated with people. When I wrote that post, I was back home but between speaking events in Europe so was both reflecting on the talks I’d just done and preparing for the upcoming ones. I find that writing material like that really helps me crystallise things in my mind so whilst it’s great that many people found it useful, I was also using that exercise as preparation for my next big talk, an all-new one on the other side of the world, one I’d never done before.

This post is the flip side of that – the post-talk post, if you like. The talk I was preparing for is Making Hacking Child’s Play which I delivered to a packed out room of over 500 people at NDC in Oslo. So how did it go? Well, after 150 speakers delivered over 200 talks, here’s where it wound up on the leader board:

Top talks at NDC Oslo

There are a couple of hundred other entries below this with my talk way out on top and clearly I’m enormously happy about that. But I’m not writing this as some form of self-ingratiating blog post, instead I wanted to share the video and talk through the things that I believe made it such a hit. Indeed the process of me doing this also helps me improve both this talk and my own presentation style; I can make this better by explaining it to you and I hope that many of you are able to take this and make your talks better too.

So first things first, here’s the talk, I’m going to make notes below it that correlate to chronological points in the video and explain what I’m doing. If you’re really interested in how I made this talk work, watch the video and read the notes as it progresses:

00:00 – People were entertained as they arrived

Usually the stage is empty as people fill into a room and are greeted by a static screen. Either that or you’ve got a presenter behind a lectern doing their best statue impersonation or fiddling with their PC. I wanted people to be engaged and entertained as soon as they arrived which is why I played the How to Talk Australians video.

This was a bit of a gamble; there was every chance it was either not going to work culturally when I was on the other side of the world or some people may even be offended. What I had going for me in Oslo though was that NDC was Australia-themed as they’ll be down here next year so everyone had a bit of an Aussie buzz going on. It was also a densely populated room and people’s laughter became infectious; it doesn’t come through in the video as they only recorded the audio from that and not the room, but there were raptures of laughter that had everyone in a good mood right from the beginning.

I started playing this at exactly T-4 minutes before my session was slated to begin so I came on stage right as the time slot started.

03:40 – An excited audience and an amusing beginning

By the time I came on stage, everyone was already smiling and laughing and it was easy to say “Who wants to come to Australia now” and get an engaged reaction. Norwegians tend to be very quiet compared to audiences in other parts of the world like Australia and the US so this was a big win.

Rather than go straight into the usual “name rank and serial number” slide, I decided to talk a bit about the humorous side of Australia. Again, this worked especially well because of the NDC link, but in all honesty I’d already written the preso before knowing that they’d be promoting NDC Australia. I find this also adds some context about me as a speaker – I’m a foreigner there and this allows me to express some personality and info about where I’ve come from that I think makes the speaker more relatable.

I also mention Norway and squirrels. You only get a small fraction of the audience laughter coming through from my mic, but this had a lot of people amused. Relating your stories back to the place you’re speaking in (even if it’s just another city) helps connect with the audience. It brings relevancy and context to where you are and I do that multiple times later on with the Sweden jokes too.

The one thing I notice in this preso that I don’t like (and is already evident early on), is the pacing around. Movement is good, different points on the stage during different parts of the preso are good, but I don’t think the constant pacing is good.

05:50 – No personal intro plus free things and auto-tweets

I have my name and my Twitter handle on the slide and that’s it. I’ve previously done the “I’m Troy Hunt and I am all these things and I’ve done all those things blah blah” but I honestly don’t think this adds any value. It’s a bit self-ingratiating and people probably already know who you are because it’s on your bio next to the talk!

I gave away free Pluralsight passes to everyone and I think leaving people with something is a great way to get longer term engagement. I’ve seen a speaker previously give away a little card with links to everything of relevance to his talk on it and I reckon that’s great too. Anyone can do that and it’s something that sticks with the attendee – literally something they have on their person – once they leave the talk.

The auto-tweets is something I’ve done several times before using FutureTweets. It not only gets engagement from the audience, but your followers get a sense of what you’re doing even from the other side of the world. Plus you get people saying how awesome it is when tweets line up with the content you’re talking about. That requires really good timing though; I rehearse like crazy and refine tweet timing down to the nearest minute of the talk.

07:20 – Demos start

In fact if you take out the intro video, we’re really only a few minutes into the talk before I start showing stuff. Yes, it’s only a search in a browser but it’s something actually happening for real – it’s not a pre-canned set of images or recorded video, something is actually happening. You’ll see that I switch between slides and demos a lot; slides keep me to an overarching structure, demos keep it more impromptu and real. Frankly, I hate going to technical talks and only seeing slides. Even when the speaker is engaging, I just feel a little short-changed and it never leaves a lasting impact like actually seeing stuff happen does.

When I show the FBI warning, I do think there’s probably too much content on the screen. I really try to keep words off screens bar important titles or things that people can read at a glance. The risk of this slide is that people are reading that content and not listening to me so I could probably find a better image here.

When I actually jump into the browser, you’ll note I’ve got a heap of tabs open already. This is everything I need already queued up which does multiple things for me:

  1. Means I see what I should be showing next courtesy of what’s on the next tab
  2. Isolates me against some risk of the connection dropping out
  3. Means I can get font sizes right for the screen before showing it to the audience

On that last point, the second tab has fonts that are too small. I should have increased the font size on this browser tab during the setup once I knew what res I’d be on. I get away with it by talking through it and then showing things work, but it could have been slicker. I do actually knock the font size up once the results come back from the search; note how much easier the content is to digest then. Same with the Google results that come back a little bit later.

08:40 – I make sure I keep momentum while things process

When I hit the search button on the Google Hacking Database page, it takes nearly 10 seconds to load. There’s a real risk of people pausing while they wait for a result and it can wreck the momentum of a talk. The joy of conference wifi is that you just don’t know how long these things are going to take and the same applies for if you’re doing a demo that compiles a solution or opens an app or does anything else that could take a while. Don’t fall into the “we’re waiting, we’re waiting” trap!

In this case, I’m basically adlibbing on the topic until I see a result. You’ll see this happen multiple times throughout the talk and it’s taken a lot of practice made all the easier by understanding the topic in depth, but the ability to talk “off the cuff” is critical to successful talks IMHO.

12:30 – Humour leads to seriousness as emotional pace changes

I like to try and oscillate a bit between using humour and entertainment to make points to then reflecting on serious incidents, for example Charlie Hebdo. IMHO there needs to be some emotional ups and downs just like you’d find in a movie or a story; some stuff that makes people go “holy crap” in amongst the laughter and general entertainment.

13:30 – Engage the audience with questions

Admittedly I don’t do this very much in this talk and it’s primarily due to the more introverted nature of this audience. I’d seen speakers really struggle to elicit feedback from people over the preceding days so when I did ask questions I ensured they were things I didn’t really need answers for. Asking “who had an account on Adult Friend Finder” is a question I expected to get no answer to and that was just fine, but it still gave me a chance to ask something then look around for responses.

For audiences that are more forthcoming, this really helps with engagement. You’ll see it happen at other times during the talk too and it can be a great tool, you just need to plan for a quiet audience as well and make sure that it doesn’t leave you standing there in an awkward silence.

14:10 – Sex sells, but it’s not the story

This is the first time I’ve done a talk with a big “You will get laid” slide! Like the intro, this can backfire if the audience isn’t right or the mood is more demure, but you can clearly hear how this was received by the NDC audience.

But here’s the thing with this segment: it’s not about sex, it’s not about Adult Friend Finder and indeed it’s not even about their breach. It’s about account enumeration and everything leading up to that is telling a story. It’s getting people engaged, piquing their attention and making them sit up and listen. Story telling is a great way to lead into the actual message you’re trying to get across as it contextualises things. I could have just said “password reset pages disclose the existence of accounts” but instead I spent several minutes leading into it to maximise engagement and impact.

18:20 – Tangential stories and stage management

I ask if people know what Mailinator is which I expect to get a low response rate on. Now Mailinator really isn’t the thing I’m focusing on but it allows me to make the talk feel a lot more casual and leave people with something useful. I leave the PC and walk to a new spot on the stage – I change context – and then I explain what it is.

This is also a great time-filler if I’m tracking too fast. In the earlier mentioned post about speaker style bingo, I show how I have a sheet with precise timing and an iPad stopwatch running to keep things in check. These tangential stories help me fill gaps if I’m running too fast and again, they’re possible because I’m comfortable enough with the topic that I feel I can talk about it ad hoc without any actual preparation.

Actually, just on that last point, I’ve done several two hour talks recently with nothing more than half a dozen bullet points. These are not “formal” talks like I’m discussing here, but presentations to companies or other audiences who just want to hear me talk about security. It’s a great way of practicing how to think on your feet.

22:00 – Give people actions to take away

I show the Supercar Showdown site from my Pluralsight courses and welcome people to hack it. It’s a great thing they can leave the talk with – an action they can then follow up on. As much as I want people to be entertained at my technical talks, I want them to be able to do stuff with them so providing a resource like this should lead to people walking out with something immediately actionable.

23:40 – Embiggen things

I use Zoomit to get up close and personal with anything that might be a bit obscure or not immediately apparent to the audience. I not only zoom, but I annotate with the little built in drawing tool as well. This is something you want to overcompensate on in terms of showing things in large type particularly when you’re whizzing through a concept like this one. It’d be easy for people to get lost (and I’m sure some probably did anyway), so highlighting things in this fashion is important.

25:30 – Videos

I’ve started using embedded videos in my presentations more. You see it multiple times in this presentation and I think (although am not entirely convinced) that the right video in the right place works quite well. There’s a risk of it not gelling with the audience (like any content, I guess), but it can be quite powerful to demonstrate a point. I think this one works well in terms of pointing out XSS risks because it’s both impactful and entertaining. Similar deal with the one later on Betsy and her wifi. I do think it’d be easy to slip into overuse though and I hope that’s not something I’ve done with this talk.

One other upside to showing videos – it gives you time to collect your thoughts, take a drink and check where you’re going next. The audience gets engaged in the video and gives you a bit of free time to pull yourself together. You can see me doing this on the stage each time a video is shown, but I doubt the audience really noticed as they were focused on the big screen.

26:40 – Profanity and reading your audience

Firstly, regardless of individual stances on profanity, everyone recognises there are degrees of it or at least degrees of severity in terms of your choice of words or terms. I utter an “Oh shit” at a time when people are laughing and everyone is pretty relaxed. It’s contextual, it’s only repeated one other time towards the end and in the scheme of things, it’s pretty mild. There are audiences where I wouldn’t do this and there are audiences where I’ve taken it a lot further, the point is that I choose these words carefully, much more so than the casual off-hand way of muttering them suggests. It can add emphasis and impact or it can potentially offend so yeah, tread with caution.

27:00 – Making boring things entertaining and linking to existing stories

There’s no subtle way to put this – content security policies are boring. No really, they’re massively boring and had I just shown their practical implementation it would not have made for good viewing. Useful, yes and perhaps a few people would have taken that away and done something with it, but I turn it into something entertaining by showing the Harlem Shake script. Of course this is a completely pointless exercise, making random pages shake in the DOM, but it gave me an avenue to show CSPs in an impactful way.

It also gave me continuity from the XSS demo. I managed to show the banks shaking from real XSS attacks and then seamlessly slip into CSPs by showing how exactly the same behaviour could be stopped by browser policy. If I’m honest, one of the things I struggled with a little in this talk was taking a bunch of independent topics and trying to splice them together into some semblance of a cohesive story. It bugged me that XSS and CSPs aren’t really child’s play per se and I couldn’t tie it back directly to the overarching story.

33:00 – Recovering from a mistake (and not apologising for it)

Did you spot it? Hopefully not, but I completely forgot to show the website at the right time. I had intended to show this right after the XSS piece and before CSPs but completely forgot. It was only after I saw the open tab (remember how I said these help me keep track?) that I remembered. But I spliced it in pretty smoothly and continued.

Now one other thing on that – when stuff goes wrong and it will go wrong, I very consciously avoid apologising. The main reason is that I don’t want to dwell on the issue and draw attention to it, I want to recover and move on as fast as possible. This often means moving to a backup and I have backups for everything that could possibly go wrong.

34:00 – Contextualise the technology with awesome visuals

Something like DDoS attacks are not well understood by the broader spectrum of my audience when we’re talking about a developer conference. For people to be able to rapidly visualise this I pulled out the Norse map which is just awesome. This really helps visualise the risk and takes something that can be viewed as academic and turns it into something you can absorb at a glance. It establishes scale and significance before trying to then delve more into how these things actually occur.

36:30 – Audience participation

I do this from time to time and it always rocks. People don’t expect to see audience participation and taking the talk in a really unexpected direction gets everyone’s attention very quickly. One of the reasons I do this in security talks is it allows me to take a concept that might seem foreign or complex (I also do this with SQL injection) and show how easily accessible it really is by having someone totally “green” mount the attack (or use the technology, as it may be). It also adds unpredictability – I never know how these things will pan out and they’ve gone in some hilarious directions before.

I try and do something like this around the middle of the talk as it adds a lot of energy back into the room. People are laughing and it ends with everyone clapping which I find lifts the mood around the halfway mark.

41:30 – Direct discussion with audience members

I talk directly to a couple of guys in the audience who were saying “shut up and take my money” after seeing the DDoS video. It’s only very brief, but I find that when you connect directly with individuals in the crowd it makes the speaker more relatable. Maybe that’s not quite the right word for it, but the one-on-one interaction adds another dynamic.

48:10 – Reinforce what it is you’re trying to teach

I find it’s easy to get carried away with showing cool things and actually miss the opportunity to leave people with the information they need to actually do something about it. After talking about the poor Stratfor password storage, I say “So here are the lessons from this” and then talk about recognising poor password practices by users and poor practices on websites. I probably should have talked about more appropriate hashing algorithms as well so that might have been a lost opportunity right there.

52:50 – I lip synced, and that’s just fine

There, I’ve admitted it – I faked a little. I told people I was connecting to “Betsy’s Free Wifi” when in fact I hit the escape button instead of joining that network. I actually agonised over this for days and the problem is that the Pineapple can become quite unreliable with a room full of other people’s devices. There was a very high likelihood I’d have a repeat of NDC 2014 where I’d be left with a failing demo, so I faked a portion of it.

What I did was stood up the three websites I showed on my local IIS instance and added host headers for, and When I showed the random rolls that appeared on those addresses, they were served directly from my local machine. When I went to it went out over the real connection and it loaded the actual site.

Now I could have explained that I was faking and it would have lost a lot of its impact, not because people would have gone “Oh, he’s just faking” but because they would have been focussing on that message and not the message I really wanted them to, which is the dangers of HTTP comms. I’m quite ok with manufacturing demos in this way so long as it appears absolutely seamless and I could turn around and show the real thing on the spot (potential reliability issues aside). Keep this in mind in the future as IMHO, this was an enormously good move in terms of making a slick demo.

59:00 – The Wifi Pineapple and other people’s devices

If you’ve watched my talks before, you’ve probably seen this feature and I want to put some context around why it works so well as a speaker. The Pineapple draws everyone into the talk; it literally makes them part of it because not only do a bunch of people see their own devices on the big screen, they also see the networks they’re looking for and they can turn on their own devices and see the networks they’re broadcasting. Unlike the previous point above, this was all real and not manufactured in any way, indeed that’s what made it so impactful.


The last couple of minutes ends with me showing people their own devices on the screen and throwing chocolate into the audience. I repeat that over and over again – “Who can see their things on the screen?” – then throw chocolate. Now I’m not saying that every talk should end like this and indeed I wouldn’t always do that, but it builds engagement and interaction.

The ending of a talk is really important because that’s the last thing people will remember not just when they’re doing their eval or voting for you, but because that’s the lasting memory they’ll go home with. I always try to finish on something impactful and arguably I could have shown that last bit on the Pineapple in a more impactful way. Regardless, it ended on a fun note and the scores obviously show that people left happy.

I hope this has been a useful breakdown for would-be speakers and people who are just interested in what goes into a talk like this. Thanks for reading.

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals